Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-7706bis
Wes Hardaker <wjhns1@hardakers.net> Wed, 13 November 2019 23:49 UTC
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 564EC120018; Wed, 13 Nov 2019 15:49:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VnXtD_lLkI8s; Wed, 13 Nov 2019 15:49:22 -0800 (PST)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DC381200B9; Wed, 13 Nov 2019 15:49:22 -0800 (PST)
Received: from localhost (unknown [10.0.0.3]) by mail.hardakers.net (Postfix) with ESMTPA id C55182CD37; Wed, 13 Nov 2019 15:49:21 -0800 (PST)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Tim Wicinski <tjw.ietf@gmail.com>
Cc: dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
References: <CADyWQ+EOj_G=qYSn15QCvi21nCyf=62=sB+RrvzAJKq51Xqivg@mail.gmail.com>
Date: Wed, 13 Nov 2019 15:49:21 -0800
In-Reply-To: <CADyWQ+EOj_G=qYSn15QCvi21nCyf=62=sB+RrvzAJKq51Xqivg@mail.gmail.com> (Tim Wicinski's message of "Thu, 31 Oct 2019 11:48:24 -0400")
Message-ID: <yblr22bcp6m.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9l1Osmgptw7swacsv4E3X0JE15o>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-7706bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Nov 2019 23:49:26 -0000
Tim Wicinski <tjw.ietf@gmail.com> writes: > This starts a Working Group Last Call for draft-ietf-dnsop-7706bis Up front: as you know, I support this document fully being the driver behind localroot.isi.edu that's mentioned in the document. That being said, I do want to raise a few points/suggestions: 1. "... because negative answers are sometimes cached for a much shorter period of time." I'd like to suggest amending that with "time and because many queries received at the roots are for leaked or garbage strings as well as some many that are generated algorithmic by applications attempting to detect NXDOMAIN rewriting". In particular, the vast vast majority of the junk is not from low negative caching, but from the fact that each queries are frequently different random garbage strings and the vast majority of those are generated by Chromium based products (and probably others at this point too). 2. The next paragraph talks about the benefits being weak for true responses, due to caching, but as the root becomes more and more flat as new gTLDs are added (with another round likely "soon"), this statement will become more and more false. 3. Though the document has "relaxed" the specification to not require a loopback address/interface, this is still functionally a no-op since it still requires only serving data from the localhost. That's not really relaxing it much; it just means functionally the same thing with a slightly wider view of how to implement it. 4. In the second to last paragraph in the introduction, it might be worth adding 'Some resolver software supports being both an authoritative server and a resolver but separated by logical "views", allowing a local root to be implemented within a single process'. And you could even list the appendixes, where most of the example configuration actually makes use of this notion. 5. In section 3, there are broken sentences: "In a system that is using a local authoritative server for the root zone. if the contents of the root zone cannot be refreshed before the expire time in the SOA, the local root server MUST return a SERVFAIL error response for all queries sent to it until the zone can be successfully be set up again." I think this is meant to be "In a system that is using a local authoritative server for the root zone, if the contents of the root zone cannot be refreshed before the expire time in the SOA, the local root server MUST return a SERVFAIL error response for all queries sent to it until the zone can be successfully be set up again." 6. regarding the next paragraph: "In a resolver that is using an internal service for the root zone. if the contents of the root zone cannot be refreshed before the expire time in the SOA, the resolver MUST immediatly switch to using non-local root servers." You're prescribing implementation choices here, not the goal: the goal is to prevent resolvers from returning stale data (though.... with serve-stale in effect too.......). There are two immediately obvious choices for how to do this: 1) switch to non-local root service, as you state. or 2) return SERVFAIL from the resolver. E.G., I'm not sure existing implementations, including the config in the appendix, follow this MUST. To aggrevate this issue further: I'm not sure how a resolver would *know* that the data is stale from the local root it is querying (there are hints of this later, but I have issues with that too; see below). Functionally, this text is mandating an architecture that is not likely implemented today and is not likely to be implemented in the future (I'm guessing, but happy to be proven wrong). Wouldn't it be better to state simply "Resolvers MUST NOT return stale data." But again, I'm not sure how to implement that without requiring a very specific binding between the resolver and the local root server, which is rather special-case. You have already prescribed that the local root server itself should return SERVFAIL and I think that's really all you need to, or can, prescribe. 7. In the last paragraph in 3, it requires the administrator to check whether or not the SOA is fresh and shows a potential mechanism for doing that. But, even that is subject to fail unfortunately. Again, you're trying to get the resolver to be intelligent with data that it doesn't have access to. That requirement should be put into the local root server instead, and again is covered by having it return SERVFAIL on out-of-compliance data. The resolver half of the deployment can not test this easily, but the (potentially pseudo-)authoritative server can. That's what the requirement should be aimed at. 8. The security considerations talk about limiting damage from broken deployments to "any other system that might try to rely on an altered copy of the root.". I think, however, that the damage may be seen by any client that depends on the resolver making use of a local root server when the local root server becomes problematic. IE, if the resolver is serving an enterprise and its localhost accessible local root has a problem, the entire enterprise will have a problem. 9. In appendix A, can you please add "localroot.isi.edu" as a domain from which you can AXFR the zone too? It's mentioned in the next section. 10. For A.1, second paragraph about LocalRoot, can you replace with the following text (assuming you agree with it): The LocalRoot project (<https://localroot.isi.edu/>) is a service that embodies many of the ideas in this document and is operated in cooperation with USC/ISI's root server. It distributes the root zone by AXFR, but also offers DNS NOTIFY messages when the LocalRoot system sees that the root zone has changed, providing potentially faster updates to local root implementations. It additionally provides secured AXFR transfers, which helps defeat issues with unsigned glue records being potentially modified in transit (see Section 2). 11. For B.1, example config for Bind 9.12 - why is this not bind 9.11 (too)? It's still a viable platform and is supported till 2021 Q4. (also, it would be worth adding localroot.isi.edu to that and other similar configs as well) 12. For B.3 (bind 9.14 with mirror): it's worth adding a note that by using the mirror implementation you're actually using less upstreams because it won't include the ICANN xfr (or localroot) sources. 13. B.3 says "when it is released" referencing 9.14. It was released early this year I believe. Phew. Sorry! But I do hope these are helpful, and again: I certainly support this document going forward. -- Wes Hardaker USC/ISI
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… A. Schulze
- Re: [DNSOP] [Ext] Re: Working Group Last Call for… Paul Hoffman
- Re: [DNSOP] [Ext] Re: Working Group Last Call for… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for draft-iet… Bob Harold
- Re: [DNSOP] Working Group Last Call for draft-iet… Matthew Pounsett
- Re: [DNSOP] Working Group Last Call for draft-iet… Wes Hardaker
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Wes Hardaker